Web-based applications greatly increase information availability and ease of access, which is optimal
for public information. The distribution and sharing of information via the Web that must be accessed 
in a selective way, such as electronic commerce transactions, require the definition and enforcement 
of security controls, ensuring that information will be accessible only to authorized entities. Different 
approaches have been proposed that address the problem of protecting information in a Web system. 
However, these approaches typically operate at the file-system level, independently of the data that 
have to be protected from unauthorized accesses. Part of this problem is due to the limitations of 
HTML, historically used to design Web documents. The extensible markup language (XML), a markup 
language promoted by the World Wide Web Consortium (W3C), is de facto the standard language for 
the exchange of information on the Internet and represents an important opportunity to provide fine- 
grained access control. We present an access control model to protect information distributed on the 
Web that, by exploiting XML's own capabilities, allows the definition and enforcement of access 
restrictions directly on the structure and content of the documents. We present a language for the 
specification of access restrictions, which uses standard notations and concepts, together with a 
description of a system architecture for access control enforcement based on existing technology. 
The result is a flexible and powerful security system offering a simple integration with current 
solutions. 
Publisher: ACM Press


W3C Recommendations XML Encryption and XML-Digital Signature can be used to protect 
the confidentiality of and provide assurances about the integrity of XML documents 
transmitted over an insecure medium. The focus of this paper is how to control access to 
XML documents, once they have been received. This is particularly important for services 
where updates are sent to subscribers. We describe how certain access control policies for 
restricting access to XML documents can be enforced by encryptin ... 
October 2005 Proceedings of the 14th ACM international conference on Information
and knowledge management CIKM '05 

Publisher: ACM Press 


XML documents are frequently used in applications such as business transactions and 
medical records involving sensitive information. Typically, parts of documents should be 
visible to users depending on their roles. For instance, an insurance agent may see the 
billing information part of a medical document but not the details of the patient's medical 
history. Access control on the basis of data location or value in an XML document is 
therefore essential. In practice, the number of access control ... 

Keywords: XML database, access control, expressiveness, fine-grained access control, 
rule functions 
October 2005 Proceedings of the 14th ACM international conference on Information
and knowledge management CIKM '05 

Publisher: ACM Press 


With the emergence of XML as the de facto standard to exchange and disseminate 
information, the problem of regulating access to XML documents has attracted a 
considerable attention in recent years. Existing models attach authorizations to nodes of 
an XML document but disregard relationships between them. However, ancestor and 
sibling relationships may reveal information as sensitive as the one carried out by the 
nodes themselves (e.g., classification). This paper advocates the integration of rel ... 

Keywords: XML access control, XML relationship, data confidentiality, need-to-know and 
control via NFA-based query rewriting

Bo Luo, Dongwon Lee, Wang-Chien Lee, Peng Liu 

November 2004 Proceedings of the thirteenth ACM international conference on 
Information and knowledge management CIKM '04 

Publisher: ACM Press 


At present, most of the state-of-the-art solutions for XML access controls are either (1) 
document-level access control techniques that are too limited to support fine-grained 
security enforcement; (2) view-based approaches that are often expensive to create and 
maintain; or (3) impractical proposals that require substantial security-related support 
from underlying XML databases. In this paper, we take a different approach that assumes 
no security support from underlying XML databases and exa ... 

Keywords: XML security, data security and privacy, query rewriting 



Access control for XML data: A role-based approach to access control for XML
databases 

Jingzhu Wang, Sylvia L. Osborn 

June 2004 Proceedings of the ninth ACM symposium on Access control models and 
technologies 

Publisher: ACM Press 


In order to provide a general access control methodology for parts of XML documents, we 
propose combining role-based access control as found in the Role Graph Model, with a 
methodology originally designed for object-oriented databases. We give a description of 
the methodology, showing how different access modes, XPath expressions and roles can 
be combined, and how propagation of permissions is handled. Given this general 
approach, a system developer can design a complex authorization model for c ... 

Keywords: role-based access control, xml databases 



Access control for XML data: Specifying access control policies for XML documents
with XPath 

Irini Fundulaki, Maarten Marx 

June 2004 Proceedings of the ninth ACM symposium on Access control models and
technologies
Publisher: ACM Press 


Access control for XML documents is a non-trivial topic, as can be witnessed from the 
number of approaches presented in the literature. Trying to compare these, we 
discovered the need for a simple, clear and unambiguous language to state the declarative
semantics of an access control policy. All current approaches state the semantics in 
natural language, which has none of the above properties. This makes it hard to assess 
whether the proposed algorithms are correct (i.e., really implement the des ... 

Keywords: xml, xml access control, xpath 



XML security: Concept-level access control for the Semantic Web 
Li Qin, Vijayalakshmi Atluri 

October 2003 Proceedings of the 2003 ACM workshop on XML security 
Publisher: ACM Press 


Recently, the notion of the Semantic Web has been introduced to define a machine- 
interpretable web targeted for automation, integration and reuse of data across different 
applications. Under the Semantic Web, web pages are annotated by concepts that are 
formally defined in ontologies along with the relationships among them. As information 
pertaining to different concepts has varying access control requirements, in this paper, we 
propose an access control model for the semantic web that is capabl ... 

Keywords: Semantic Web, access control, concept, ontology, propagation 



XML access control: A bitmap-based access control for restricted views of XML 
documents 

Abhilash Gummadi, Jong P. Yoon, Biren Shah, Vijay Raghavan 

October 2003 Proceedings of the 2003 ACM workshop on XML security 

Publisher: ACM Press 


The information on the web is growing at a very fast pace. In this ever-accumulating 
data, the volume of information represented in XML format is on the rise in recent times. 
An organization that puts forth its information on the web in XML format has several 
issues to take into account such as limiting the view of intended audience to only relevant 
portions of the documents. To address this problem, we propose the concept of 
"Restricted views" to implement security in XML documents. This could ... 

Keywords: XML, access control, bitmap, restricted views, security, security cube 



XML access control: Access control of XML documents considering update
operations

Chung-Hwan Lim, Seog Park, Sang H. Son 

October 2003 Proceedings of the 2003 ACM workshop on XML security 
Publisher: ACM Press 


As a large quantity of information is presented in XML format on the Web, there are 
increasing demands for XML security. Until now, research on XML security has been 
focused on the security of data communication using digital signatures or encryption
technologies. As XML is also used for a data representation of data storage, XML security
comes to involve not only communication security but also managerial security. 
Managerial security is guaranteed through access control, but existing XML acces ... 

Keywords: XML document, XML update, access control 



10 Access control: Derived access control specification for XML 
Siddhartha K. Goel, Chris Clifton, Arnon Rosenthal 

October 2003 Proceedings of the 2003 ACM workshop on XML security 
Publisher: ACM Press 


The growth in interchange of business and other sensitive data has led to increasing 
interest in access control. While broad-based access control may be adequate for library- 
style document bases, new applications demand different access rights on different 
documents, or different parts of a document. Methods have been developed that enforce 
fine-grained access control in XML, but the administrative complexity of hard-coding rules 
is still a challenge. We present an XQuery-based approach for deri ... 

Keywords: XML, access control 




11 Access control: XML access control using static analysis
Makoto Murata, Akihiko Tozawa, Michiharu Kudo, Satoshi Hada 
October 2003 Proceedings of the 10th ACM conference on Computer and
communications security
Publisher: ACM Press 


Access control policies for XML typically use regular path expressions such as XPath for 
specifying the objects for access control policies. However such access control policies are 
burdens to the engines for XML query languages. To relieve this burden, we introduce 
static analysis for XML access control. Given an access control policy, query expression, 
and an optional schema, static analysis determines if this query expression is guaranteed 
not to access elements or attributes that are permitt ... 

Keywords: XML, XPath, XQuery, access control, automaton, query optimization, schema, 
static analysis 



12 A fine-grained access control system for XML documents 

Ernesto Damiani, Sabrina De Capitani di Vimercati, Stefano Paraboschi, Pierangela Samarati 
May 2002 ACM Transactions on Information and System Security (TISSEC), volume 5
Issue 2
Publisher: ACM Press 


Web-based applications greatly increase information availability and ease of access, which 
is optimal for public information. The distribution and sharing of information via the Web 
that must be accessed in a selective way, such as electronic commerce transactions, 
require the definition and enforcement of security controls, ensuring that information will 
be accessible only to authorized entities. Different approaches have been proposed that 
address the problem of protecting information in a Web ... 
enterprise-wide access control

Rafae Bhatti, Arif Ghafoor, Elisa Bertino, James B. D. Joshi 

May 2005 ACM Transactions on Information and System Security (TISSEC), volume 8
Issue 2
Publisher: ACM Press 


Modern day enterprises exhibit a growing trend toward adoption of enterprise computing 
services for efficient resource utilization, scalability, and flexibility. These environments 
are characterized by heterogeneous, distributed computing systems exchanging enormous 
volumes of time-critical data with varying levels of access control in a dynamic business 
environment. The enterprises are thus faced with significant challenges as they endeavor 
to achieve their primary goals, and simultaneously ens ... 

Keywords: XML, role-based access control, secure enterprises 




14 Access control for XML document: Relevancy based access control of versioned 
XML documents 

Mizuho Iwaihara, Somchai Chatvichienchai, Chutiporn Anutariya, Vilas Wuwongse 
June 2005 Proceedings of the tenth ACM symposium on Access control models and
technologies
Publisher: ACM Press 


Integration of version and access control of XML documents has the benefit of regulating 
access to rapidly growing archives of XML documents. Versioned XML documents provide 
us with valuable informations on dependencies between document nodes, but at the same 
time presenting the risk of undesirable data disclosure. In this paper we introduce the 
notion of relevancy-based access control, which realizes protection of versioned XML 
documents by various types of relevancy, such as version dependenci ... 
Publisher: ACM Press


Protecting information over the Web is today becoming a primary need. Although many 
access control models have been so far proposed to address the specific protection 
requirements of the web environment, no comparable amount of work has been done for 
finding efficient techniques for performing access control. We believe that the availability 
of techniques for speeding-up access control is a key issue to make an access control 
model widely acceptable. This is particularly crucial in an environmen ... 
We investigate a generalization of the notion of XML security view introduced by Stoica
and Farkas [17] and later refined by Fan et al. [8]. The model consists of access control 
policies specified over DTDs with XPath expression for data-dependent access control 
policies. We provide the notion of security views for characterizing information accessible 
to authorized users. This is a transformed (sanitized) DTD schema that can be used by 
users for query formulation and optimization. Then w ... 
Publisher: ACM Press


In the last few years, an increasing amount of semi-structured data have become available
electronically to humans and programs. In such a context, XML is rapidly emerging as the
new standard for semi-structured data representation and exchange on the Internet.
Securing XML data is then becoming increasingly important and several attempts at
developing methods for securing XML data have been proposed. However, these proposals 
do not take into consideration scenarios where users want to query XML data by ... 

Keywords: XML, XML access control, XQuery 



18 XML access control: RDF metadata for XML access control 
Vaibhav Gowadia, Csilla Farkas 

October 2003 Proceedings of the 2003 ACM workshop on XML security 
Publisher: ACM Press 


In this paper we present an access control framework that provides flexible security 
granularity for XML documents. RDF statements are used to represent security objects 
and to express security policy. The concepts of simple security object and association 
security object are defined. Our model allows to express and enforce access control on 
XML trees and their associations. Access control rules, corresponding to (s, o, ±a) triples, 
are represented as RDF statements with properties ... 

Keywords: RDF metadata, RXACL, XML security, access control, association objects, 
flexible security granularity, tree extension 



19 Session 2: secure Web services: Designing a distributed access control processor for
network services on the Web 
Reiner Kraft 

November 2002 Proceedings of the 2002 ACM workshop on XML security 
Publisher: ACM Press 





The service oriented architecture (SOA) is gaining more momentum with the advent of 
network services on the Web. A programmable and machine accessible Web is the vision 
of many, and might represent a step towards the semantic Web. However, security is a
crucial requirement for the serious usage and adoption of the Web services technology. 
This paper enumerates design goals for an access control model for Web services. It then 
introduces an abstract general model for Web services components, along ... 

Keywords: Web services, XML, access control, security 



20 Session 3: XML applications: Regulating access to SMIL formatted pay-per-view 
movies 

Naren Kodali, Duminda Wijesekera 

November 2002 Proceedings of the 2002 ACM workshop on XML security 
Publisher: ACM Press 


XML [15] has become a standard format for information that moves within the World 
Wide Web. Previous work in securing XML documents concentrated mainly on textual 
documents. Those proposals are ineffective in the context of multimedia, which mostly 
comprises of some sensible combination of images, text, audio, and video. As multimedia 
constitutes a significant component of the traffic within the Internet, it requires to be 
secured. We propose an access control model and an encryption mechanism t ... 

Keywords: SMIL, XML, access control, encryption, integrity, pay-per-view, smart card, 
synchronized multimedia 
The YGuard access control model: set-based access control
Ty van den Akker, Quinn O. Snell, Mark J. Clement 

May 2001 Proceedings of the sixth ACM symposium on Access control models and
technologies
Publisher: ACM Press 


As Internet usage proliferates, resource security becomes both more important and more 
complex. Contemporary users and systems are ill-equipped to deal with the complex 
security demands of a ubiquitous, insecure network. The YGuard Access Control Model, 
developed at Brigham Young University, employs set-based access control lists, XML, and 
a modular architecture to provide users with an intuitive, extensible, and efficient method 
of controlling access to system resources. The implementat ... 



Keywords: XML, XSet, XWeb, YGuard, access control list, access control model, set 



22 Fine grained access control for SOAP E-services 

Ernesto Damiani, Sabrina De Capitani di Vimercati, Stefano Paraboschi, Pierangela Samarati 
April 2001 Proceedings of the 10th international conference on World Wide Web 
Publisher: ACM Press 





Keywords: SOAP, XML, access control, certificates, roles 



23 Virtual enterprise access control requirements 
M. Coetzee, Jan H. P. Eloff 

September 2003 Proceedings of the 2003 annual research conference of the South
African institute of computer scientists and information technologists
on Enablement through technology SAICSIT '03

Publisher: South African Institute for Computer Scientists and Information Technologists 


Current developments in IT point towards the formation of loosely coupled enterprises, 
often referred to as virtual enterprises. These enterprises require both secure and flexible 
collaboration between unrelated information systems. Web services technology can be
used as an ideal platform for realising virtual enterprises through their ease of
integration, flexibility, and support of XML vocabularies. To ensure the successful 
implementation of Web services within virtual enterprises, new approa ... 

Keywords: B2B, SOAP, XML, access control, design, federation, management, roles, 
security, standardization, trust, virtual enterprises, web services 



24 X-gtrbac admin: A decentralized administration model for enterprise-wide access 
control 

Rafae Bhatti, Basit Shafiq, Elisa Bertino, Arif Ghafoor, James B. D. Joshi 
November 2005 ACM Transactions on Information and System Security (TISSEC),
Volume 8 Issue 4
Publisher: ACM Press 


The modern enterprise spans several functional units or administrative domains with 
diverse authorization requirements. Access control policies in an enterprise environment 
typically express these requirements as authorization constraints. While desirable for 
access control, constraints can lead to conflicts in the overall policy in a multidomain 
environment. The administration problem for enterprise-wide access control, therefore, 
not only includes authorization management for users and resourc ... 

Keywords: XML, policy administration, role-based access control, secure interoperation 



25 Role administration: X-GTRBAC admin: a decentralized administration model for 
enterprise wide access control 
Rafae Bhatti, James Joshi, Elisa Bertino, Arif Ghafoor 

June 2004 Proceedings of the ninth ACM symposium on Access control models and
technologies
Publisher: ACM Press 


Access control in enterprises is a key research area in the realm of Computer Security 
because of the unique needs of the target enterprise. As the enterprise typically has large 
user and resource pools, administering the access control based on any framework could 
in itself be a daunting task. This work presents X-GTRBAC Admin, an administration model 
that aims at enabling policy administration within a large enterprise. In particular, it 
simplifies the process of user-to-role and permission-to ... 

Keywords: XML, decentralized administration, role based access control, temporal 
constraints 



26 Poster Session: Access control for XML: a dynamic query rewriting approach
Sriram Mohan, Arijit Sengupta, Yuqing Wu 

October 2005 Proceedings of the 14th ACM international conference on Information 
and knowledge management CIKM '05 

Publisher: ACM Press 


Being able to express and enforce role-based access control on XML data is a critical 
component of XML data management. However, given the semi-structured nature of XML, 
this is non-trivial, as access control can be applied on the values of nodes as well as on 
the structural relationship between nodes. In this context, we adopt and extend a graph 
editing language for specifying role-based access constraints in the form of security views.
A Security Annotated Schema (SAS) is proposed as the inter ..

Keywords: XML, access control, query rewrite, security view



27 Session 4: Web service applications: Dynamically authorized role-based access
control for secure distributed computation
C. Joncheng Kuo, Polar Humenn 

November 2002 Proceedings of the 2002 ACM workshop on XML security 
Publisher: ACM Press 


This paper presents a mechanism for using the Object Management Group's Common 
Secure Interoperability Version 2 (CSIv2), Authorization Token Layer Acquisition Service 
(ATLAS), and XML security standards such as Security Assertion Markup Language (SAML) 
to develop role-based access control (RBAC) in a secure distributed computation 
system. The need for RBAC became evident in this kind of system because the
components of the system are configured dynamically in specific neighbor relationships to 
e ... 

Keywords: CORBA, Role-based access control, XML-based security assertions, attribute 
certificates, authorization domain 




28 Access control: An access control framework for business processes for web 
services 

Hristo Koshutanski, Fabio Massacci 

October 2003 Proceedings of the 2003 ACM workshop on XML security 
Publisher: ACM Press 


Business Processes for Web Services are the new paradigm for the lightweight integration 
of business from different enterprises. Whereas the security and access control policies for 
basic web services and distributed systems are well studied and almost standardized, 
there is not yet a comprehensive proposal for an access control architecture for business 
processes. The major issue is that a business process describe complex services that cross 
organizational boundaries and are provided by entitie ... 

Keywords: controlled disclosure, distributed systems security, e-business, interactive 
access control, security management, web services 



29 Activeweb: XML-based active rules for web view derivations and access control 
Hidenari Kiyomitsu, Atsunori Takeuchi, Katsumi Tanaka 

January 2001 Australian Computer Science Communications, Proceedings of the
workshop on Information technology for virtual enterprises ITVE '01,
Proceedings of the workshop on Information technology for virtual
enterprises ITVE '01, Volume 23 Issue 6
Publisher: IEEE Computer Society, IEEE Computer Society, IEEE Computer Society Press


In this paper, we propose an idea of using XML-based active rules for deriving Web views 
and for defining access control by user access behaviors. The major objective of the 
proposed method is to reflect author(creator)'s intention about his/her Web data and its
link structures. In our ActiveWeb, the view of a Web page including its hyperlinks is
changed according to each user's browsing situation including access history or the 
aggregated information about all users' access histories. In ... 

Keywords: ECA rules, XML, activeweb, internet application, spatio-temporal, web 
personalization, web views 



30 Workshop on testing, analysis and verification of web services (TAV-WEB) papers:
Static analysis of role-based access control in J2EE applications

Gleb Naumovich, Paolina Centonze

September 2004 ACM SIGSOFT Software Engineering Notes, volume 29 issue 5 

Publisher: ACM Press 


This work describes a new technique for analysis of Java 2, Enterprise Edition (J2EE) 
applications. In such applications, Enterprise Java Beans (EJBs) are commonly used to 
encapsulate the core computations performed on Web servers. Access to EJBs is protected 
by application servers, according to role-based access control policies that may be created 
either at development or deployment time. These policies may prohibit some types of 
users from accessing specific EJB methods. We present a static te ... 

31 Access control: First experiences using XACML for access control in distributed
systems

Markus Lorch, Seth Proctor, Rebekah Lepro, Dennis Kafura, Sumit Shah 
October 2003 Proceedings of the 2003 ACM workshop on XML security 

Publisher: ACM Press 


Authorization systems today are increasingly complex. They span domains of 
administration, rely on many different authentication sources, and manage permissions 
that can be as complex as the system itself. Worse still, while there are many standards 
that define authentication mechanisms, the standards that address authorization are less 
well defined and tend to work only within homogeneous systems. This paper presents 
XACML, a standard access control language, as one component of a distributed a ... 

Keywords: access control decision, access control enforcement, authorization, distributed 
system security, policy language, policy management 



32 Reports: Report on the 9th ACM symposium on access control models and
technologies (SACMAT'04)
Elena Ferrari

September 2004 ACM SIGMOD Record, volume 33 issue 3 

Publisher: ACM Press 


SACMAT04 was held on June 2-4, 2004, at Yorktown Heights, New York, USA and was 
hosted by IBM T.J. Watson Research Center. The symposium, which was colocated with
the IEEE International Workshop on Policies for Distributed Systems and Networks 
(POLICY 2004), continues its tradition of being the premier forum for presentation of 
research results and experience reports on leading edge issues of access control and 
related technologies, including models, systems, applications, and theory. SACMA ... 
Access control policy implementation: Succinct specifications of portable document
access policies

Marina Bykova, Mikhail Atallah 

June 2004 Proceedings of the ninth ACM symposium on Access control models and
technologies
Publisher: ACM Press 


When customers need to each be given portable access rights to a subset of documents
from a large universe of n available documents, it is often the case that the space available for
representing each customer's access rights is limited to much less than n, say it is no
more than m bits. This is the case when, e.g., limited-capacity inexpensive cards are used
to store the access rights to huge multimedia document databases. How does one
represent subsets of a huge set of n el ...

Keywords: access control, access control enforcement, algorithm design, compact policy 
representation, computational complexity, portable access rights 



34 Applications: Context sensitive access control

#R. J. Hulsebosch, A. H. Salden, M. S. Bargh, P. W. G. Ebben, J. Reitsma 
June 2005 Proceedings of the tenth ACM symposium on Access control models and 

technologies 
Publisher: ACM Press 

Full text available: 'g) pdf( 145.62 KB ) Additional Information: full citation, abstract , references, index terms 

We investigate the practical feasibility of using context information for controlling access 
to services. Based solely on situational context, we show that users can be transparently 
provided anonymous access to services and that service providers can still impose various 
security levels. Thereto, we propose context-sensitive verification methods that allow 
checking the user's claimed authenticity in various ways and to various degrees. More 
precisely, conventional information management approac ... 

Keywords: access control, authentication, context sensitive, context verification, service 
usage patterns 



35 Secure and selective dissemination of XML documents
Elisa Bertino, Elena Ferrari

August 2002 ACM Transactions on Information and System Security (TISSEC), volume 5 issue 3
Publisher: ACM Press

Full text available: pdf(678.34 KB) Additional Information: full citation, abstract, references, citings, index terms

XML (extensible Markup Language) has emerged as a prevalent standard for document 
representation and exchange on the Web. It is often the case that XML documents contain 
information of different sensitivity degrees that must be selectively shared by (possibly 
large) user communities. There is thus the need for models and mechanisms enabling the 
specification and enforcement of access control policies for XML documents. Mechanisms 
are also required enabling a secure and selective dissemina ... 

Keywords: Access control, XML, secure distribution 



36 A compressed accessibility map for XML

Ting Yu, Divesh Srivastava, Laks V. S. Lakshmanan, H. V. Jagadish

June 2004 ACM Transactions on Database Systems (TODS), volume 29 issue 2

Publisher: ACM Press

Full text available: pdf(528.00 KB) Additional Information: full citation , abstract , references , index terms 

XML is the undisputed standard for data representation and exchange. As companies 
transact business over the Internet, letting authorized customers directly access, and 
even modify, XML data offers many advantages in terms of cost, accuracy, and timeliness. 
Given the complex business relationships between companies, and the sensitive nature of 
information, access must be provided selectively, using sophisticated access control 
specifications. Using the specification directly to determine if a us ... 

Keywords: Access control, XML, structural locality 



37 Research sessions: security and privacy: Secure XML querying with security views
Wenfei Fan, Chee-Yong Chan, Minos Garofalakis 

June 2004 Proceedings of the 2004 ACM SIGMOD international conference on 
Management of data 

Publisher: ACM Press 

Full text available: pdf(229.47 KB) Additional Information: full citation, abstract, references

The prevalent use of XML highlights the need for a generic, flexible access-control 
mechanism for XML documents that supports efficient and secure query access, without 
revealing sensitive information to unauthorized users. This paper introduces a novel
paradigm for specifying XML security constraints and investigates the enforcement of such 
constraints during XML query evaluation. Our approach is based on the novel concept of 
security views, which provide for each user group (a) an XML view ... 

38 On specifying security policies for web documents with an XML-based language
Elisa Bertino, Silvana Castano, Elena Ferrari 

May 2001 Proceedings of the sixth ACM symposium on Access control models and 
technologies 

Publisher: ACM Press 

Full text available: pdf(290.20 KB) Additional Information: full citation, abstract, references, citings, index terms

The rapid growth of the Web and the ease with which data can be accessed facilitate the 
distribution and sharing of information. Information dissemination often takes the form of 
documents that are made available at Web servers, or that are actively broadcasted by 
Web servers to interested clients. In this paper, we present an XML-compliant formalism 
for specifying security-related information for Web document protection. In particular, we 
introduce X-Sec, an XML-based lang ...

Keywords: XML, access control, security policies, subject credentials 



39 Key management and key exchange: A temporal key management scheme for
secure broadcasting of XML documents
Elisa Bertino, Barbara Carminati, Elena Ferrari

November 2002 Proceedings of the 9th ACM conference on Computer and communications security
Publisher: ACM Press

Full text available: pdf(242.89 KB) Additional Information: full citation, abstract, references, index terms

Secure broadcasting of web documents is becoming a crucial need for many web-based 
applications. Under the broadcast document dissemination strategy a web document 
source periodically broadcasts (portions of) its documents to a possibly large community
of subjects, without the need of explicit subject requests. By secure broadcasting we
mean that the delivery of information to subjects must obey the access control policies of
the document source. Since different subjects may have the right to ...

Keywords: XML, secure broadcasting, temporal key management




40 Model driven security: From UML models to access control infrastructures 

David Basin, Jürgen Doser, Torsten Lodderstedt
January 2006 ACM Transactions on Software Engineering and Methodology (TOSEM), 



We present a new approach to building secure systems. In our approach, which we call 
Model Driven Security, designers specify system models along with their security 
requirements and use tools to automatically generate system architectures from the 
models, including complete, configured access control infrastructures. Rather than fixing 
one particular modeling language for this process, we propose a general schema for 
constructing such languages that combines languages for modeling systems with ... 

Keywords: Model Driven Architecture, Object Constraint Language, Role-Based Access 
Control, Unified Modeling Language, metamodeling, security engineering 
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